1. Home
  2. pfSense Packages
  3. IDS/IPS
  4. Suricata inline mode stops after interface restart

Suricata inline mode stops after interface restart

  • T

    If I start/restart an interface while Inline mode is enabled it stops detecting and generating alerts. I then have to turn off the Inline mode, restart the interface then turn on Inline mode again for alerts to be detected. If I restart the interface again the alerts stop so I have to go through the process of disabling Inline Mode again.

    I'm running pfsense on a brand new Protectli FW4 with a J3160 CPU, 8GB RAM and intel i210-AT NICs so I don't think hardware is the issue.

    I've tried removing Suricata (including the setting) and setting everything up from scratch but the same thing happens when I restart an interface.

    Any help would be much appreciated.

    0
  • bmeeks

    What version of pfSense are you running?

    Inline IPS Mode uses the netmap kernel device within FreeBSD. The API for that device is different between FreeBSD-11.3 (which the underlying OS for pfSense-2.4.5) and FreeBSD-12.1 (which is the underlying OS for pfSense-2.5). It is expected behavior for the netmap device to "down" and then "up" an interface when a netmap connection is "closed" and then "opened" by the Suricata binary. This is behavior the netmap device itself controls, and not something Suricata can stop.

    FreeBSD-12.1 has a new iflib wrapper API library for network card drivers to use. That API handles a lot of common functions now with regards to networking with the kernel that were formerly handled by code inside each NIC driver provided by the manufactureres. So that's why I asked about he pfSense version.

    I have not had another report of that kind of error. By turning off Inline Mode and restarting the interface, you are activating the PCAP mode using the libpcap library, and thus unhooking the netmap device from the NIC driver. It could be this is something unique to the particular NIC hardware you have. What driver family name is FreeBSD assigning to your NIC?

    0
  • T

    Looking at the pfsense version I get the following info.

    2.4.5-RELEASE-p1 (amd64)
    built on Tue Jun 02 17:51:17 EDT 2020
    FreeBSD 11.3-STABLE

    From my understanding that is the latest version as I only recently installed it the other day after purchasing the hardware. Inline mode seems to be stable prior to restarting the interface so I can get it working. The problem is if an interface restarts due to error suricata will stop working.

    0
  • bmeeks

    Yes, you have the current version of pfSense RELEASE. And FreeBSD-11.3 is not using the iflib subsystem.

    I'm not sure what could up with your setup. Thus far I've gotten no other reports like yours. Unfortunately I do not have anything to test on that has that NIC in it.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy